Lawful Basis for Processing

At least one of these must apply whenever you process personal data. There may be more than one. Select the one which is appropriate to the activity you are doing:

1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose. Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. Explicit consent requires a very clear and specific statement of consent.
2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
4. Vital interests: the processing is necessary to protect someone’s life.
5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Special data

We have already set out what special data is:
Special data is:
Special categories of personal data that reveals:

• racial or ethnic origin;
• political opinions;
• religious and philosophical beliefs;
• Trade Union membership;
• genetic data;
• biometric data for uniquely identifying a natural person; and
• sex life and sexual orientation.

Where you process special data then:
In order to lawfully process special category data, you must identify both a lawful basis and a separate condition. These do not have to be linked.
The conditions to be applied are:

• The data subject has provided explicit consent
• The processing is necessary for:
• carrying out the data controller's rights in the field of employment law, social security, and social protection;
• protecting the vital interests of the data subject when the data controller cannot obtain consent;
• establishing, exercising, or defending legal claims;
• reasons of substantial public interest;
• purposes of preventive or occupational medicine to assess the working capacity of a data subject, medical diagnosis, or for the provision of health or social care or treatment;
• reasons of public interest in the area of public health;
• archiving in the public interest; or
• scientific, historical research, or statistical purposes.
• The processing relates to the legitimate activities of certain non-profit organizations.
• The processing relates to personal data made public by the data subject.

Looking for Privacy Notice Help?

Buy Your Privacy Notice Online